Lab Exercise – Protocol Layers
Objective
To learn how protocols and layering are represented in packets. They are key concepts for structuring networks that are covered in the text. The trace for this lab is here:
http://scisweb.ulster.ac.uk/~kevin/com320/labs/wireshark/trace-protocol-layers.pcap (although the main trace you will look at is from a site you pick such as www.ulster.ac.uk in the exam-ples which follow).
Requirements
Wireshark: This lab uses the Wireshark software tool to capture andexamine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents.Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It col-or-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can down-load it fromwww.wireshark.org for your personal computer. It is an ideal packet analyzer for our labs – it is stable, has a large user base and well-documented support that includes a user-guide http://www.wireshark.org/docs/wsug_html_chunked), and a detailed FAQ, rich functionality that in-cludes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates in computers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer tech-nologies (if the OS on which it is running allows Wireshark to do so). It is already installed in the labs. A quick help guide to Wireshark display filters is here: http://openmaniak.com/wireshark_filters.php Wireshark is a core tool for any wireless ‘man in the middle’ or similar snooping attack. It is simply in-dispensable for those who wish to examine packets being transferred over a network – good or bad…..
Wireshark & Packet Sniffing Background
The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”)messages being sent/received from/by your computer; it will also typically store and/ordisplay the contents of the various protocol fields in these captured messages. A packetsniffer itself is passive. It observes messages being sent and received by applications andprotocols running on your computer, but never sends packets itself. Similar-ly, receivedpackets are never explicitly addressed to the packet sniffer. Instead, a packet snifferreceives a copy of packets that are sent/received from/by application and protocolsexecuting on your machine. Figure 1shows the structure of a packet sniffer. At the right of Figure 1are the protocols(in this case, In-ternet protocols) and applications (such as a web browser or ftp client)that normally run on your com-puter. The packet sniffer, shown within the dashedrectangle in Figure 1is an addition to the usual soft-ware in your computer, and consistsof two parts. The packet capture library receives a copy of every link-layer frame thatis sent from or received by your computer. Messages exchanged by higher layer protocols such as HTTP,FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames that aretransmitted over physical media such as an Ethernet cable.
Figure 1: Packet Sniffer Structure
In Figure 1, the assumedphysical media is an Ethernet, and so all upper-layer protocols are eventual-lyencapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you allmessages sent/received from/by all protocols and applications executing in yourcomputer.
The second component of a packet sniffer is the packet analyzer, which displays thecontents of all fields within a protocol message. In order to do so, the packet analyzermust “understand” the structure of all messages exchanged by protocols. For example,suppose we are interested in displaying the various fields in messages exchanged by theHTTP protocol in Figure 1. The packet analyzer understands the format of Ethernetframes, and so can identify the IP datagram within an Ethernet frame. It also unders-tandsthe IP datagram format, so that it can extract the TCP segment within the IP datagram.Finally, it understands the TCP segment structure, so it can extract the HTTP messagecontained in the TCP seg-ment. Finally, it understands the HTTP protocol and so, forexample, knows that the first bytes of an HTTP message will contain the string “GET,”“POST,” or “HEAD,”.
Step 1: Capture a Trace
1. Launching Wireshark
You can type Wireshark in the run box of main Windows 8 start screen. Press the Windows key on the keyboard and type “wireshark”. If a problem launching it then see here1.
Figure 2: Wireshark in lab
2. Just close the dialog box which prompts you to install a new version. You will then see a startup
screen, as shown next.
Figure 3: Initial Wireshark Screen
3. Take a look at the left hand side of the screen – you’ll see an “Interface list”. This is the list of
network interfaces on your computer. Choose Ethernet.
1
It should load but there can be a problem with the new lab configuration for Wireshark and npf driver. Therefore if this is not working…. then please do the next step.Launch Wireshark as follows. Click desktop icon on main windows screen & use the file explorer to browse to C:\\local Disk (C)\\Program Files\\Wireshark. Finally, RIGHT CLICK on Wireshark as “Run as administrator”.